02-05-2013 05:55 AM - edited 03-11-2019 05:56 PM
Good day all,
short question....
I set up a new ASA for our branch office and everything is working fine, but I have a little problem with the ASA.
I am trying to configure it so that the ASA in the branch office can resolve internal hosts to IPs. The problem is that our internal DNS servers are located in a different location, and DNS works over a VPN. This works for the branch office clients but not for the ASA.
Does someone have an idea, or is it by design?
Thanks Markus
02-05-2013 09:24 PM
The reason it's not working is most probably that the ASA routes the DNS packet via its outside interface, hence the source IP is the ASA outside interface address, while your VPN crypto ACL does not include the ASA outside interface, hence it fails to go via the VPN.
To fix the issue, you can include the branch office ASA outside interface in the crypto ACL as the source IP towards the remote LAN, and configure the mirror-image ACL in the remote crypto ACL as well.
You would also need to configure NAT exemption on the remote side, between the remote LAN and the branch office ASA outside interface.
Hope that helps.
02-06-2013 06:56 AM
Hi Jennifer,
thanks for your response. So, for beginners, I have to create the crypto ACLs like this scheme:
branch_asa crypto acl
src: 192.168.0.0 --- dst: 192.168.1.0
src: 1.1.1.1
remote_asa crypto acl
src: 192.168.1.0 --- dst: 192.168.0.0
src: 2.2.2.2
Thanks,
Markus
02-06-2013 05:58 PM
Example:
If your branch ASA outside interface is 1.1.1.1 and the remote LAN is 192.168.1.0/24, then:
branch ASA:
crypto ACL: permit ip host 1.1.1.1 192.168.1.0 255.255.255.0
remote ASA:
crypto ACL: permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
The above is in addition to the crypto ACL that you already have in place.
And on the remote ASA:
your NAT exemption will be the same as your crypto ACL.
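Putting the two answers above together as a complete pair of configurations (this is an added example, not Jennifer's or Cisco's own text). It assumes ASA 8.3+ twice-NAT syntax, a branch LAN of 192.168.0.0/24 (from Markus's scheme), the remote LAN 192.168.1.0/24 and branch outside address 1.1.1.1 from the thread, and an assumed remote DNS server at 192.168.1.10; the object and ACL names are placeholders, and the existing LAN-to-LAN entries are shown so you can see where the new host entries sit relative to them.

```cisco
! ===== Branch ASA (outside interface 1.1.1.1, branch LAN 192.168.0.0/24) =====
object network BRANCH-LAN
 subnet 192.168.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
!
! Crypto ACL: the existing LAN-to-LAN entry, plus the added entry that
! matches traffic the ASA itself sources from its outside address.
access-list VPN-TO-REMOTE extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TO-REMOTE extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0
!
! Existing NAT exemption for the branch LAN to the remote LAN (unchanged).
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! The ASA's own lookups: enable DNS lookup on the egress interface and point
! the default server group at the remote DNS server (192.168.1.10 is assumed).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.10
 domain-name example.local
!
! ===== Remote ASA (remote LAN 192.168.1.0/24) =====
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 192.168.0.0 255.255.255.0
object network BRANCH-ASA-OUTSIDE
 host 1.1.1.1
!
! Mirror image of the branch crypto ACL: existing LAN-to-LAN entry plus the
! added entry towards the branch ASA outside address.
access-list VPN-TO-BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-BRANCH extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
!
! NAT exemption matching the crypto ACL, one rule per crypto ACL entry, so the
! DNS replies to 1.1.1.1 keep their real addresses and match the VPN.
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static BRANCH-ASA-OUTSIDE BRANCH-ASA-OUTSIDE no-proxy-arp route-lookup
```

To check it from the branch ASA, ping 192.168.1.10 from the CLI and then run `show crypto ipsec sa`: a new SA pair for the 1.1.1.1 to 192.168.1.0/24 proxy identities should appear with non-zero encaps and decaps counters. If only encaps increments, the remote side is missing either the mirrored crypto ACL entry or the matching NAT exemption.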
02-07-2013 02:48 AM
Hi,
Perfect, that is working.
Thanks Markus
02-07-2013 03:59 AM
Excellent, thanks for the update.